ExploreZip

ExploreZip, also known as Zipped Files, is a mass-mailer worm that appeared in late spring of 1999, only months after CIH and Melissa. It carries a malicious payload that destroys certain files. The worm supposedly hit fewer computers than Melissa while causing more damage.

Behavior

ExploreZip arrives in an email with the following text:

Hi ! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye, (or) sincerely,

The attachment is named Zipped_files.exe. When executed, ExploreZip displays a message saying that the zip archive is invalid. The message is always in English, but the OK button is in the language that the infected computer is set to.

The worm copies itself to the Windows System folder under the name Explore.exe or _setup.exe. It may also be found in a temporary folder or an email attachments folder, depending on the mail client the computer uses. It modifies the Win.ini file on Windows 95/98 and adds its file name to the Current User registry key on Windows NT, 2000 and XP, which causes the worm to run when the computer starts up (not ...\CurrentVersion\Run, like most worms, but rather ...\CurrentVersion\Windows).

ExploreZip searches drives C to Z of the infected computer, and any drives accessible over the network, for files with the extensions .h, .c, .cpp, .asm (these first four are source code types), .doc, .ppt, or .xls (Microsoft Office documents, presentations and spreadsheets). The worm then calls CreateFile(), which makes those files 0 bytes long. The files are unrecoverable. New files created after the infection are deleted until the worm is removed. The user may notice increased hard drive activity.

The worm replies to all unread messages in the inbox and marks each message as read so that it will not send itself to that email address from the present computer again. It sends its reply to every new email the computer receives until it is removed. It also copies itself to the Windows or WINNT folders of computers on the infected computer's network.

Variants

ExploreZip.B

ExploreZip.B is a worm that uses MAPI-capable email programs on Windows systems to propagate itself. The worm emails itself out as an attachment with the filename File_zippati.exe. The body of the email message may appear to come from a known email correspondent. Once the attachment is executed, it unpacks itself and executes the original ExploreZip routine. On first execution it displays an error message informing the user that the file is not a valid archive. The worm then copies itself to the c:\windows\system (or SYSTEM32) directory with the filename drvssrv.exe (or _saver.scr) and modifies the WIN.INI file so that the program is executed each time Windows is started. The worm then uses the email client to harvest email addresses in order to propagate itself. Users may notice their email client launching when this occurs.

ExploreZip.C

ExploreZip.C is a worm that uses MAPI-capable email programs on Windows systems to propagate itself. The worm emails itself out as an attachment with the filename dinheiro.scs.exe. The body of the email message may appear to come from a known email correspondent. Once the attachment is executed, it unpacks itself and executes the original ExploreZip routine. On first execution it displays an error message informing the user that the file is not a valid archive.

ExploreZip.E

ExploreZip.E is a worm that is compressed with the UPX file compressor. It is functionally similar to the original ExploreZip. The main difference is that the virus code has been repacked to make it undetectable to current scanners.

ExploreZip.F

ExploreZip.F is a worm that contains a malicious payload. The worm uses Microsoft Outlook, Outlook Express, and Exchange to mail itself by replying to unread messages in the inbox.
The email attachment is Zipped_files.exe, and its size is 210,432 bytes. The worm searches the mapped drives and networked computers for Windows installations, copies itself to the Windows folder of the remote computer, and modifies the Win.ini file.

ExploreZip.L

ExploreZip.L is a worm that contains a malicious payload. The file has been repacked to make it more difficult to detect with older antivirus software. This worm is packed with UPX, version 0.76.1-1.24. The worm uses Microsoft Outlook, Outlook Express, or Exchange to mail itself by replying to unread messages in the Inbox. The email attachment is titled Zipped_files.exe. ExploreZip.L also searches the mapped drives and network computers for Windows installations. If they are found, the worm copies itself to the \Windows folder of the remote computer and then modifies the Win.ini file of the infected computer.

Media Effects

The worm caused more damage than CIH and Melissa, in spite of infecting fewer computers. This is probably because Melissa lacked any truly malicious payload, while CIH was a virus that could not spread over email or networks. ExploreZip was also a bit slower in spreading than Melissa. General Electric and several other companies shut down their email systems for fear of getting the worm. The BBC was hit by a variant of the worm almost four years after the original was released, causing the organization to restrict the size of emails that could be sent through its network.

Other Facts

ExploreZip is the first worm to be compressed with a packer such as UPX. Even with the compression, it is still a very large worm, weighing in at around 210,432 bytes. Other worms created shortly afterward, such as Navidad, were much smaller. The worm changes its body with each new replication, yet remains detectable.
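A small triage helper, added here and not taken from the article or any of its sources, that checks for the two host artifacts the Behavior section describes: a known worm drop name hooked into win.ini, and files with the targeted extensions that have been truncated to zero bytes. It assumes the win.ini change is a run= line in the [windows] section (the article does not name the key) and runs against a constructed win.ini and a constructed temporary file tree rather than a live system.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Extensions the article says ExploreZip truncates to zero length.
TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".ppt", ".xls"}
# Drop names the article lists for the original worm and the .B variant.
WORM_NAMES = {"explore.exe", "_setup.exe", "drvssrv.exe", "_saver.scr"}
# Constructed sample win.ini; the run= line under [windows] is an assumed hook.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\Explore.exe\n[Desktop]\nWallpaper=(None)\n"

def win_ini_run_entries(ini_text):
    """Return every non-empty run= value in the [windows] section."""
    section, found = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows":
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "run" and value.strip():
                found.append(value.strip())
    return found

def suspicious_run_entries(ini_text):
    """Keep only run= entries whose executable matches a known drop name."""
    return [v for v in win_ini_run_entries(ini_text)
            if PureWindowsPath(v.strip('"')).name.lower() in WORM_NAMES]

def zero_length_targets(root):
    """Walk root and list targeted-extension files that are now 0 bytes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTS and p.stat().st_size == 0:
                hits.append(str(p))
    return sorted(hits)

def demo():
    """Run the file check over a constructed sample tree in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="explorezip_demo_"))
    (base / "main.c").touch()                # truncated source file
    (base / "report.doc").touch()            # truncated document
    (base / "notes.txt").write_text("keep")  # not a targeted extension
    (base / "ok.cpp").write_text("int x;")   # targeted but intact
    return sorted(Path(h).name for h in zero_length_targets(base))

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_WIN_INI), demo())
```

A run= entry pointing at an unknown executable is not flagged by itself; only the drop names the article lists are matched, so extend WORM_NAMES for other variants.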